Add Akeyless Secret Store/SSH Plugin

.flake8

@@ -117,6 +117,11 @@ per-file-ignores =
   # additionally test docstrings don't need param lists (DAR, DCO020):
   tests/**.py: DAR, DCO020, S101, S105, S108, S404, S603, WPS202, WPS210, WPS430, WPS436, WPS441, WPS442, WPS450
 
+  # WPS202: two-plugin module (secret store + SSH) with Protocol types, TypedDicts,
+  # and multiple helpers per plugin; could be split into a sub-package later.
+  # WPS238: auth + fetch each wrap ApiException and ValueError into RuntimeError.
+  src/awx_plugins/credentials/akeyless.py: WPS202, WPS238
+
   # The following ignores must be fixed and the entries removed from this config:
   src/awx_plugins/credentials/aim.py: ANN003, ANN201, B950, CCR001, D100, D103, LN001, Q003, WPS210, WPS221, WPS223, WPS231, WPS336, WPS432
   src/awx_plugins/credentials/aws_secretsmanager.py: ANN003, ANN201, D100, D103, WPS111, WPS210, WPS329, WPS529

.gitignore

@@ -328,3 +328,4 @@ pip-selfcheck.json
 
 # lockfile scripts
 !/bin/
+.python-version

.mypy.ini

@@ -62,6 +62,12 @@ warn_unused_ignores = true
 # crashes with some decorators like `@functools.cache`:
 disallow_any_expr = false
 
+[mypy-awx_plugins.credentials.akeyless]
+# gettext_noop() from the interfaces package returns Any:
+disallow_any_expr = false
+# _plugin.CertFiles is untyped in the interfaces package:
+disallow_untyped_calls = false
+
 [mypy-awx_plugins.credentials.aws_secretsmanager]
 # crashes with some decorators like `@functools.cache`:
 disallow_any_expr = false

.pre-commit-config.yaml

@@ -323,6 +323,7 @@ repos:
     - pytest-mock  # needed by pylint-pytest since it picks up pytest's args
     - pytest-subtests  # needed by pylint-pytest since it picks up pytest's args
     - pytest-xdist  # needed by pylint-pytest since it picks up pytest's args
+    - akeyless >= 5.0.8  # needed by credentials.akeyless and its tests
     - python-dsv-sdk  # needed by credentials.dsv, credentials.thycotic_dsv
     - PyYAML  # needed by credentials.injectors, inventory.plugins
     - Sphinx  # needed by the Sphinx extension stub

.pylintrc.toml

@@ -106,7 +106,10 @@ py-version = "3.11"
 # source root is an absolute path or a path relative to the current working
 # directory used to determine a package namespace for modules located under the
 # source root.
-# source-roots =
+# Complements init-hook: init-hook adjusts runtime sys.path while source-roots
+# controls pylint's static module discovery, preventing it from resolving
+# akeyless.py as the top-level 'akeyless' package instead of the SDK.
+source-roots = ["src"]
 
 # Allow loading of arbitrary C extensions. Extensions are imported into the
 # active Python interpreter and may run arbitrary code.

.ruff.toml

@@ -173,6 +173,9 @@ testing = [
   "S101",    # Allow use of `assert` in test files
   "S105",    # hardcoded-password-string
   "S106",    # hardcoded-password-func-arg
+  "S107",    # hardcoded-password-func-default: test helper factories use
+             # credential-like param names (token, secret_data) as configurable
+             # defaults — these are never real credentials
   "S108",    # tmp dirs
   "S404",    # Allow importing 'subprocess' module to testing call external tools needed by these hooks
   "S603",    # subprocess calls

_type_stubs/akeyless/__init__.pyi

@@ -0,0 +1,72 @@
+from collections.abc import Mapping
+
+class Configuration:
+    host: str
+    ssl_ca_cert: str | None
+    verify_ssl: bool
+    def __init__(self, host: str = ...) -> None: ...
+
+class ApiClient:
+    user_agent: str
+    default_headers: dict[str, str]
+    def __init__(self, configuration: Configuration | None = ...) -> None: ...
+
+class Auth:
+    access_id: str
+    access_key: str
+    def __init__(
+        self,
+        *,
+        access_id: str = ...,
+        access_key: str = ...,
+    ) -> None: ...
+
+class AuthOutput:
+    token: str | None
+
+class StaticSecretInfo:
+    format: str
+
+class ItemGeneralInfo:
+    static_secret_info: StaticSecretInfo
+
+class DescribeItemOutput:
+    item_type: str
+    item_sub_type: str
+    item_general_info: ItemGeneralInfo
+
+class DescribeItem:
+    name: str
+    token: str
+    def __init__(
+        self,
+        *,
+        name: str = ...,
+        token: str = ...,
+    ) -> None: ...
+
+class GetSecretValue:
+    names: list[str]
+    token: str
+    def __init__(
+        self,
+        *,
+        names: list[str] = ...,
+        token: str = ...,
+    ) -> None: ...
+
+class GetSSHCertificateOutput:
+    data: str | None
+
+class V2Api:
+    def __init__(self, api_client: ApiClient | None = ...) -> None: ...
+    def auth(self, auth: Auth) -> AuthOutput: ...
+    def describe_item(self, req: DescribeItem) -> DescribeItemOutput: ...
+    def get_secret_value(
+        self,
+        req: GetSecretValue,
+    ) -> Mapping[str, str]: ...
+    def get_ssh_certificate(
+        self,
+        req: object,
+    ) -> GetSSHCertificateOutput: ...

_type_stubs/akeyless/models/get_ssh_certificate.pyi

@@ -0,0 +1,15 @@
+class GetSSHCertificate:
+    token: str
+    cert_issuer_name: str
+    cert_username: str
+    ttl: int | None
+    public_key_data: str
+    def __init__(
+        self,
+        *,
+        token: str = ...,
+        cert_issuer_name: str = ...,
+        cert_username: str = ...,
+        ttl: int | None = ...,
+        public_key_data: str = ...,
+    ) -> None: ...

_type_stubs/akeyless/rest.pyi

@@ -0,0 +1,9 @@
+class ApiException(Exception):  # noqa: N818
+    status: int
+    reason: str
+    def __init__(
+        self,
+        status: int = ...,
+        reason: str = ...,
+        http_resp: object | None = ...,
+    ) -> None: ...

docs/conf.py

@@ -240,6 +240,12 @@
     ('py:class', '_PT'),  # generic ParamSpec type variable
     ('py:class', '_contextvars.ContextVar'),  # unresolved context var type
     ('py:class', 'EnvVarsType'),
+    # Akeyless SDK types: auto-generated from OpenAPI
+    # without type annotations or .pyi stubs
+    ('py:class', 'akeyless.models.auth.Auth'),
+    ('py:class', 'akeyless.models.describe_item.DescribeItem'),
+    ('py:class', 'akeyless.models.get_secret_value.GetSecretValue'),
+    ('py:class', 'akeyless.models.get_ssh_certificate.GetSSHCertificate'),
 ]
 
 

docs/spelling_wordlist.txt

@@ -1,3 +1,4 @@
+Akeyless
 Ansible
 Approle
 async

pyproject.toml

@@ -77,6 +77,8 @@ centrify_vault_kv = "awx_plugins.credentials.centrify_vault:centrify_plugin"
 thycotic_dsv = "awx_plugins.credentials.dsv:dsv_plugin"
 thycotic_tss = "awx_plugins.credentials.tss:tss_plugin"
 aws_secretsmanager_credential = "awx_plugins.credentials.aws_secretsmanager:aws_secretmanager_plugin"
+akeyless = "awx_plugins.credentials.akeyless:akeyless_plugin"
+akeyless_ssh = "awx_plugins.credentials.akeyless:akeyless_ssh_plugin"
 github_app_lookup = "awx_plugins.credentials.github_app:github_app_lookup"
 
 [project.entry-points."awx_plugins.managed_credentials"] # new entry points group name
@@ -189,6 +191,14 @@ credentials-aws-secretsmanager-credential = [
   "awx_plugins.interfaces",
   "boto3",
 ]
+credentials-akeyless = [
+  "awx_plugins.interfaces",
+  "akeyless >= 5.0.8",
+]
+credentials-akeyless-ssh = [
+  "awx_plugins.interfaces",
+  "akeyless >= 5.0.8",
+]
 inventory-azure-rm = [
   "awx_plugins.interfaces",
   "PyYAML",